Changing passwords for websites

Comments

  • gveres
    gveres
    Community Member

    Is there some document that describes the proper way to update your password on a site? Last night I went through watchtower and updated passwords for all the sites that it said have been compromised. I found that some of the time it recognized the login entry was getting a new password but at least half the time it didn't recognize it and so I had to go find the new password that was generated in the password list, then copy that password, then go find the login entry for the site and edit it to update the new password.

    So, the question is, are we doing it wrong? Is there a document that tells us how to update a password on a site that will 100% of the time result in 1password automatically updating the login entry for that site so that we don't have to do it manually? I can figure out when it does the right thing and when it doesn't, but my 72 year old mother can't. I need to tell her how to update her passwords that is going to work every single time.

    Thanks
    Greg

  • AGAlumB
    AGAlumB
    1Password Alumni

    @gveres: I've got good news and bad news. The good news is that we have a nice general guide to password changes, from the perspective of 1Password:

    Change your passwords and make them stronger

    The bad news is that there is no "how to update her passwords that is going to work every single time": password change processes vary wildly from one website to another, so there's no magic here. A lot of it will just be you just trying it. It doesn't happen to me a lot since I deal with this stuff day to day testing things for 1Password, but I have absolutely encountered cases where it was hard for me to even figure out how to change the password for some sites. I even recall one time where, after a long search, I contacted them and they told me this wasn't even possible: their site had no such functionality. Rare, but less rare is really having to dig around through website account settings to find where to do it.

    Regarding the issue you're describing though, while it's impossible to say without knowing specifics, it sounds like you're either missing the part where you save the new password in 1Password, or update it on the site. The website will not let you sign in using what you have in 1Password if they both don't agree. That's the key.

  • gveres
    gveres
    Community Member

    @brenty: Hi, I think you might have misunderstood what I was getting at. I understand that every site is different and how you get to the "change password" feature of every site is unique to that site. That's not what I was looking for or talking about.

    Assuming that you have already found the site's change password feature, I have found that 1password is inconsistent in it's ability to recognize the password change and therefore store the new password in 1Password.

    I will read the guide you linked to in order to see if I am doing something wrong. But when I get 1password to generate a new password for the login entry, I kind of expect it to update that login entry. Let me go read the guide before I elaborate more. :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @gveres: I did misunderstand. Thank you!

    Assuming that you have already found the site's change password feature, I have found that 1password is inconsistent in it's ability to recognize the password change and therefore store the new password in 1Password.

    You're right that 1Password isn't always able to detect a password change. It goes back to website differences, and also the fact that there are not "password change" form standards like there are for login forms. Nine times out of ten, if you press Enter/Return to submit the form, 1Password can detect that. Clicking a button to send the form is harder for 1Password to detect because it is often difficult (to put it mildly) to determine what the button is doing. But it's something we're always working to improve, so if you encounter an issue like that let us know the URL so we can investigate.

    To be clear, I am almost certain you did nothing wrong. It should "just work". The reality is that it doesn't always for various reasons, and we need to keep at it. I'm sorry for any inconvenience caused in the mean time. :blush:

  • gveres
    gveres
    Community Member

    Ok. Might I suggest that in addition to "it should just work", you guys could / should build a workflow for changing passwords? I will switch to hitting enter to see if I get better success, but once I generate a new password, why can't 1password ask if I want to change to this password for this login entry? And if there are multiple login entries for that site, let me choose which one I am updating? And if the update fails, which can be common if the site has rules that don't match your password generation scheme, then there should be a button on the login entry to revert to the previous password. I think that would make it much better for changing passwords than preying that 1password recognizes the update. Something like this is a workflow I can tell my parents to follow every time they need to change a password and I can be assured that it will work.

  • ag_ana
    ag_ana
    1Password Alumni

    @gveres:

    but once I generate a new password, why can't 1password ask if I want to change to this password for this login entry? And if there are multiple login entries for that site, let me choose which one I am updating?

    Indeed, this is how 1Password is designed to work. If you want to let us know what websites this is happening with, we can certainly test and see why they behave differently from the default behavior.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @gveres: If the update fails, you haven't lost anything: you'll still have the password. When you change the password in a Login item in 1Password, it keeps the password history under "previously used passwords". And if you use 1Password to generate and copy a new password for a site, are successful changing it there, but didn't update that Login in 1Password, you'll still have a Password item with it which was saved automatically:

    If you used the password generator and can’t find the password to sign in

    1Password isn't perfect, but it's got your back. :)

  • gveres
    gveres
    Community Member

    @ag_ana: It doesn't seem to be that this is how 1password is designed to work according to @brenty and from what I have seen (btw, I have been using 1password since version 2 or 3). From what I have seen and what @brenty said, 1password is designed to "hope that it recognizes the password change" and then present you with the "create new" or "update existing" dialog. But the problem is that there are many sites where it can't recognize the password change. So I am suggesting that once you press the "generate password" button in mini when it is showing you a login entry for the page you are on, 1password would (at that point) present you with the option to update the password for that entry or one of the other entries for that site. This avoids the problematic detection of the password change operation.

    And if you do that, then I think you also need a "revert to previous password" operation because the site might reject the password I just generated. In that case, I need a very easy way to revert to the previous password and try again.

    @brenty: yes I know that the generated password shows up in the passwords category. That is how I do it today, but this is really difficult to explain to my mother about how to update her passwords. I am trying to help suggest a work flow that is easy enough that we can explain to our mother's how to use it and that is fool proof and works 100% of the time.
    I don't have a problem understanding how to change a password in 1password since I have been using 1password since v2 or v3, but try to explain all this to somebody who barely understands how to use a computer and you quickly run into problems and it gets way too complicated. I love 1Password and I think everybody should be using it for their own safety, but it has to be super easy to use.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @gveres: I think you and Ana are just misunderstanding each other. This was your exchange:

    but once I generate a new password, why can't 1password ask if I want to change to this password for this login entry? And if there are multiple login entries for that site, let me choose which one I am updating?

    Indeed, this is how 1Password is designed to work. If you want to let us know what websites this is happening with, we can certainly test and see why they behave differently from the default behavior.

    I also thought you meant that 1Password can offer to update login credentials when you change them on a site, since that's what we've been discussing here all along. But it seems like you've moved the goalposts with your last couple comments and are talking about something else entirely: prompting you when you generate a password, not when you use it on the site. More on that later.

    From what I have seen and what @brenty said, 1password is designed to "hope that it recognizes the password change" and then present you with the "create new" or "update existing" dialog.

    I don't see where I said that. :lol: 1Password is incapable of "hope"...but maybe someday. :eh:

    But the problem is that there are many sites where it can't recognize the password change. So I am suggesting that once you press the "generate password" button in mini when it is showing you a login entry for the page you are on, 1password would (at that point) present you with the option to update the password for that entry or one of the other entries for that site. This avoids the problematic detection of the password change operation.

    It's an interesting idea, but there's at least one big reason why I doubt we'll do that: it would be incredibly annoying. Imagine that you're generating a few passwords for different things, or just trying to find a good one (on a site that has onerous "requirements", for example): you're talking about each new generated password popping up a window to "Update (or Save New) Login". One of the most common complaints we've had recently is that 1Password saves a Password item automatically, even though it's done that for years, because some UI changes have made this more obvious. I don't personally think that "annoyance" outweighs the importance of the "safety net" of having the Password saved just in case...but I can absolutely see that having an autosave window come up each time would annoy even more people.

    And if you do that, then I think you also need a "revert to previous password" operation because the site might reject the password I just generated. In that case, I need a very easy way to revert to the previous password and try again.

    As I mentioned in my previous post, you can already view password history under "previously used passwords" in the Login item even after it's been updated.

    yes I know that the generated password shows up in the passwords category. That is how I do it today, but this is really difficult to explain to my mother about how to update her passwords. I am trying to help suggest a work flow that is easy enough that we can explain to our mother's how to use it and that is fool proof and works 100% of the time.

    There is no such thing since, as we've been discussing, it depends entirely on the website. Some have a quick two step password change process. Others are much more convoluted and, in some cases, even involve postal mail (seriously). But what we do have is a very straightforward and well-documented process for updating account information in 1Password:

    Change your passwords and make them stronger

    But if you -- or your mother -- go through that and have feedback about how it might be improved, please let us know.

    I don't have a problem understanding how to change a password in 1password since I have been using 1password since v2 or v3, but try to explain all this to somebody who barely understands how to use a computer and you quickly run into problems and it gets way too complicated. I love 1Password and I think everybody should be using it for their own safety, but it has to be super easy to use.

    I agree with you completely. It should be easier for people to secure their digital lives. That's why we're working at this from all angles every day to try to improve things. There's inherently a fairly large "wildcard" in the form of websites, which we have no control over, but when people tell us the tough ones they encounter we're happy to investigate and see if there's a way to work around it. If you or your loved ones run into a specific issue, be sure to let us know the details so we can look into it.

  • gveres
    gveres
    Community Member

    @gveres: I think you and Ana are just misunderstanding each other. This was your exchange:

    No we aren't saying the same thing because of ...

    But it seems like you've moved the goalposts with your last couple comments and are talking about something else entirely: prompting you when you generate a password, not when you use it on the site. More on that later.

    I have been talking about this the entire time. That's why I have been trying to restate it so that you guys would understand that I am not talking about what is there already. But that's ok. Now that you understand I am talking about a different work flow, one that is an explicit action, we can have a discussion where we are both on the same page. :)

    Please do understand that I have been using 1Password for a long time and I understand how it works. I am trying to suggest something that I believe improve an area where my experience has shown me that 1password is weak - setting a new password on a site and having that new password saved in 1password.

    My starting assumption is that with the current workflow defined in the document you linked to, 1password will recognize the update password about 50% of the time and that isn't good enough to rely on the existing workflow. I think this is where you and I differ. You are portraying that you believe this percentage is much higher and that it is perfectly adequate that the fall back process is so complicated. I disagree that the percentage is high and that the complexity of the fall back process is acceptable. Given my position, I suggested a new workflow that will work all the time with an easy escape valve when the site rejects the password that was generated.

    (BTW, that document you linked to needs to be updated because it says to click on "New Password" and the button label has been changed to "Generate Password").

    The other thing I would like to do is make sure you are looking at the brand new mini UI. It is quite different from before and it now has that "Generate password" button in the upper right corner, right above the login entry for the site I am looking at. Visually, this looks like it is part of the login entry, not a stand-alone button that generates a random password for no apparent reason. It visually looks like it is an action I can take on the displayed login entry, which I believe is a good thing.

    I might even suggest that there is a button added to the upper right corner of the 1password main app login entry detail pane that would kick off the process I have suggested for changing the password.

    I hope that what I am suggesting is clear. If i want to change the password on a site, I would do the following with the new workflow:
    1. navigate to the site's change password page (this is done manually, because, as you pointed out, 1password doesn't know where every site's change password page lives)
    2. I click on the browser extension button to bring up 1password mini, which is showing me the login entry for the site with a Generate New Password button in the upper right corner of the login entry
    3. I likely have to copy the existing password and paste it into the appropriate field (or I can do auto-fill hot key)
    4. I click on the generate new password button and a new password is copied to the clipboard and it updates the password of the login entry (if there are multiple entries, it asks which one I am changing).
    5. I paste the new password in the appropriate fields on the page and click submit
    6. If the password change was successful, I am done because 1password is already up to date
    7. if the site rejects the password, I bring up the mini again and click the affordance for reverting to the previous password and I start again

    It's an interesting idea, but there's at least one big reason why I doubt we'll do that: it would be incredibly annoying. Imagine that you're generating a few passwords for different things, or just trying to find a good one (on a site that has onerous "requirements", for example):

    If you are generating passwords for some random purpose, bring up the main 1password UI and start creating passwords there.
    If the site has onerous requirements, the workflow above handles that with the revert to previous password option.

    One of the most common complaints we've had recently is that 1Password saves a Password item automatically, even though it's done that for years, because some UI changes have made this more obvious. I don't personally think that "annoyance" outweighs the importance of the "safety net" of having the Password saved just in case...but I can absolutely see that having an autosave window come up each time would annoy even more people.

    I am one of those people who thinks that saving the password in the list of passwords is annoying. Actually saving the password there isn't the annoying part, the annoying part is that it shows up in the main list of items, so I see these passwords and their login entry when I am browsing the list of items in 1password. It would be nice if they were hidden by default but accessible.

    But for your last comment about this autosave window being even more annoying, I think that stems from the expectation that the button in the mini ui is for generating passwords for some unrelated use. As I mentioned above, to me, visually it looks like it is part of the login entry and the only use I expected from it was to generate a new password for the site I am on. I bet you would find that is the 90% use case and the other use cases could be handled just as well from the main 1password UI.

  • gveres
    gveres
    Community Member

    @brenty also one more comment about the document you linked to. It is not complete. It doesn't provide the user any guidance on how to update the password when 1password fails to recognize the password change. It only provides documentation on the happy path and not the fall back workflow. Given the percentage of time that 1password fails to recognize the password change it really needs to document the complicated fall back workflow. And the documentation should include searching for the new password in the list of passwords in case the password was removed from the clipboard before the user managed to find and edit the login entry.

    I just told my wife (UI designer for the past 25 years) about this conversation and her comment was "oh yea, changing passwords in 1password is so complicated, I really don't know how to do it".

  • AGAlumB
    AGAlumB
    1Password Alumni

    @gveres: Thanks for your reply, and for clarifying earlier. Keeping in mind that any change will break someone's workflow, we need to weigh things carefully. Perhaps we can do something similar to what you're suggesting in the future. Thanks for the suggestions! In the mean time, we'll update the support article (you're absolutely right: we changed that word in the app last week and it needs to be updated; thank you!) And we'll continue to test sites on our own and those that customers bring to our attention, file issues for investigation, and then work on ways to make 1Password smarter over time. I've never said anything about a percentage since the sites you frequent will certainly not match all those I've tested over the years and use myself. So the percentage of failure for you may be higher based on your personal habits. Overall, from testing thousands, that's been the exception rather than the rule. But if your experience has been less than stellar, I'm sorry about that. There's definitely room for improvement, and we'll keep at it. So please let us know the specifics if you encounter issues with saving or filling in the future. Cheers! :)

    ref: web/support.1password.com#1999

  • AGAlumB
    AGAlumB
    1Password Alumni

    also one more comment about the document you linked to. It is not complete. It doesn't provide the user any guidance on how to update the password when 1password fails to recognize the password change. It only provides documentation on the happy path and not the fall back workflow.

    @gveres: You're not wrong about that.

    Given the percentage of time that 1password fails to recognize the password change it really needs to document the complicated fall back workflow.

    But the "percentage" thing you keep referring to is based solely on your own personal experience. Again, I'm sorry that you've had a bad time with this, and we'll continue to work to improve it. But we could argue about this all day and not get anywhere, as you haven't given me any specific examples, and I'm drawing on a much larger sample size as far as user interactions and internal testing.

    And the documentation should include searching for the new password in the list of passwords in case the password was removed from the clipboard before the user managed to find and edit the login entry.

    It does:

    If you used the password generator and can’t find the password to sign in

    I just told my wife (UI designer for the past 25 years) about this conversation and her comment was "oh yea, changing passwords in 1password is so complicated, I really don't know how to do it".

    That's what we're here for. Let us know if you run into trouble with a specific site. We'll be happy to help. I just can't offer you -- or your loved ones -- further suggestions without a concrete example. :)

This discussion has been closed.